Rule: -- Sid: 1394 -- Summary: This event is generated when an attempt is made to possibly overflow a buffer. The NOOP warning occurs when a series of NOOP (no operation) are found in a stream. Most buffer overflow exploits typically use NOOPs sleds to pad the code. -- Impact: This might indicate someone is trying to use a buffer overflow exploit. Full compromise of system is possible if the exploit is successful. -- Detailed Information: This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode. -- Affected Systems: Any x86 programs. -- Attack Scenarios: An attacker uses a buffer overflow exploit which contains the following payload: 90 90 90 90 90 90 90 90 90 90 /bin/sh -- Ease of Attack: Simple. -- False Positives: High, This event may be generated by applications such as ftp and http when binary data is being transfered. A false Positive can be generated if the snort sensor detects text from an IRC client or any other application that passes data plaintext. The event is generated if snort detects several (a) characters in a row - such as 'aaaaaaaaaa'. -- False Negatives: None known -- Corrective Action: Apply a non-executable user stack patch to your kernel Secure programming/execution of a program Check the destination host and service to verify if any buffer overflow vulnerability exists. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) -- Additional References: --
